Snort mailing list archives
Re: Snort and Barnyard - why do our logs stop
From: beenph <beenph () gmail com>
Date: Tue, 25 Jan 2011 09:18:54 -0500
Yup.

On Tue, Jan 25, 2011 at 9:08 AM, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:

So delete the .waldo and then just do a touch and recreate it?

-----Original Message-----
From: beenph [mailto:beenph () gmail com]
Sent: Tuesday, January 25, 2011 7:58 AM
To: Gibson, Nathan J. (HSC)
Cc: Atkins, Dwane P; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and Barnyard - why do our logs stop

You should never manually edit the waldo file for any reason. The best way to handle a waldo file is to delete it and create it empty (by2).

On Mon, Jan 24, 2011 at 4:44 PM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:

Delete your current snort.log files. Restart snort only for about 5 minutes. Edit your waldo file and put the name for the new snort.log in there starting at row 1 and then restart barnyard.

Looks like it's trying to process a snort.log it has already processed. Basically trying to stick the same event back into the database it already stuck in there. If that doesn't work, I usually just back up and purge my database and it starts up just fine.

From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
Sent: Monday, January 24, 2011 11:55 AM
To: Atkins, Dwane P; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort and Barnyard - why do our logs stop

01/24-11:57:37.207454 [**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {UDP} 129.111.107.10:5247 -> 129.111.94.116:12929
database: mysql_error: Duplicate entry '1-15358037' for key 'PRIMARY'
SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 15358037, 4, '2011-01-24 11:57:37')

What does this mean? Why am I getting duplicate entries and how do I discover where the mysql error is?

Dwane

From: Atkins, Dwane P [mailto:ATKINSD () uthscsa edu]
Sent: Monday, January 24, 2011 11:40 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort and Barnyard - why do our logs stop

In a normal week, we get maybe two weeks of logs before the logging stops. And when I do a ps -ef | grep snort, snort has stopped. Barnyard2 is still in the processes but snort has stopped. Where can I go to investigate this? Is there a log file somewhere that will report why the process has stopped? I am stumped. Why does something work well for two days and then stop? Is it a resource issue? If I need to extend it, I can, but what do I extend to the LVM group?

Thank you all for your help. This is starting to get rather frustrating.

Dwane

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
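As an added illustration (this is not code from the thread, nor from the Snort or Barnyard2 projects), the following script answers Dwane's "how do I discover where the mysql error is?" by parsing barnyard2 output lines shaped like the one he quotes. Each MySQL duplicate-key error names the (sid, cid) pair that the `event` table's primary key rejected; the script extracts that pair, cross-checks it against the sid and cid inside the failing INSERT, and summarises per sensor how many events were replayed and which cid range they span. Comparing that range against `SELECT MAX(cid) FROM event WHERE sid = ...` run by hand tells you whether barnyard2 is re-reading unified2 records that are already stored, which is the situation Nathan describes (bookmark behind the database). All sample lines, addresses and event ids below are constructed.

```python
import re
from collections import defaultdict

# Constructed barnyard2 output, modelled on the duplicate-key error quoted in
# the thread. Addresses and event ids are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
01/24-11:57:37.207454 [**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {UDP} 192.0.2.10:5247 -> 198.51.100.5:12929
database: mysql_error: Duplicate entry '1-15358037' for key 'PRIMARY' SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 15358037, 4, '2011-01-24 11:57:37')
database: mysql_error: Duplicate entry '1-15358038' for key 'PRIMARY' SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 15358038, 4, '2011-01-24 11:57:38')
database: mysql_error: Duplicate entry '2-900' for key 'PRIMARY' SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (2, 900, 7, '2011-01-24 11:58:02')
database: mysql_error: Duplicate entry '1-15358041' for key 'PRIMARY' SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 15358041, 9, '2011-01-24 11:58:10')
"""

# The primary key of the Snort/Barnyard2 `event` table is (sid, cid): sensor id
# plus a per-sensor event counter. A duplicate-key error therefore names the
# exact event barnyard2 is trying to insert a second time.
DUP_RE = re.compile(r"mysql_error: Duplicate entry '(\d+)-(\d+)' for key 'PRIMARY'")
SQL_RE = re.compile(
    r"SQL=INSERT INTO event \(sid,cid,signature,timestamp\) "
    r"VALUES \((\d+), (\d+), (\d+), '([^']+)'\)"
)


def parse_duplicate_errors(text):
    """Return one record per duplicate-key error line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if not m:
            continue
        key_sid, key_cid = int(m.group(1)), int(m.group(2))
        rec = {"sid": key_sid, "cid": key_cid, "signature": None,
               "timestamp": None, "consistent": False}
        s = SQL_RE.search(line)
        if s:
            sql_sid, sql_cid = int(s.group(1)), int(s.group(2))
            rec["signature"] = int(s.group(3))
            rec["timestamp"] = s.group(4)
            # The key in the error and the values in the statement should agree;
            # a mismatch points at a mangled log line rather than a replay.
            rec["consistent"] = (sql_sid, sql_cid) == (key_sid, key_cid)
        records.append(rec)
    return records


def summarize_by_sensor(records):
    """Per sensor id: how many events were replayed and the cid range they span."""
    cids = defaultdict(list)
    for rec in records:
        cids[rec["sid"]].append(rec["cid"])
    return {
        sid: {"count": len(c), "min_cid": min(c), "max_cid": max(c)}
        for sid, c in cids.items()
    }


def max_cid_query(sid):
    """SQL to run by hand against the Snort database. If the result is >= the
    max_cid reported for this sensor, barnyard2 is re-reading unified2 records
    that are already stored, i.e. its waldo bookmark is behind the database."""
    return f"SELECT MAX(cid) FROM event WHERE sid = {int(sid)};"


if __name__ == "__main__":
    recs = parse_duplicate_errors(SAMPLE_LOG)
    for sid, info in sorted(summarize_by_sensor(recs).items()):
        print(f"sensor {sid}: {info['count']} replayed events, "
              f"cid {info['min_cid']}..{info['max_cid']}  check: {max_cid_query(sid)}")
```

Run it against your real barnyard2 log (or syslog, depending on where barnyard2 writes) instead of `SAMPLE_LOG`; a contiguous run of replayed cids starting right after a barnyard2 restart is the signature of a bookmark that points into an already-processed part of the unified2 file.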